nadezhda.ivanova at postpath.com
Thu Oct 29 02:30:41 MDT 2009
Can you tell me which docs? Maybe I am wrong, but solving such problems by adding an exception to the schema consistency seems to decrease stability. Today it's a hack in the ACL module, tomorrow a hack in another. What is the particular reason to do it this way?
----- Original Message -----
> From: Andrew Bartlett <abartlet at samba.org>
> To: Nadezhda Ivanova <nadezhda.ivanova at postpath.com>
> Cc: mwallnoefer at yahoo.de <mwallnoefer at yahoo.de>, samba-technical at samba.org <samba-technical at samba.org>
> Sent: Wednesday, October 28, 2009 6:44:21 PM GMT+0200 Europe;Athens
> Subject: Re: clearTextPassword attribute
> On Wed, 2009-10-28 at 18:09 +0200, Nadezhda Ivanova wrote:
> > Hi Matthias,
> > Unfortunately the similarity between clearTextPassword and
> > does not help in this case, because we do not care whatsoever
> > about syntax or function, only access rights granted. In 99% of the
> > cases we rely on the defaultSecurityDescriptor or inherited ACEs to
> > determine access, and by default we may have rights given to
> > self or administrator over unicodePwd, but never on
> > I suppose I could, in acl module, handle clearTextPassword
> > by checking for the rights of unicodePwd instead, but it will be an
> > ugly hack... And the whole idea of being allowed to use an attribute
> > that is not actually in the schema breaks a ground rule...
> And a hack you should use. I got the name clearTextPassword from
> Microsoft's own docs. Just apply the same rights as unicodePwd to any
> update to userPassword, clearTextPassword, unicodePwd or dbcsPwd.
> In short, password handling is special, particularly once you get to
> password changes.
> I would expect this is actually a special right, but perhaps they just
> use unicodePwd.
> Andrew Bartlett
> Andrew Bartlett
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Cisco Inc.
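The approach discussed in this thread (check a write to any password attribute against the rights held on unicodePwd) can be sketched as follows. This is an added example, not code from the thread or from Samba's acl module; the `write_ace` structure, the function names and the sample ACL are hypothetical, and the model is reduced to per-attribute write grants.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <strings.h>

/* Simplified model (assumption): one ACE grants one trustee write access to one attribute. */
struct write_ace { const char *trustee; const char *attr; };

/* Password attributes named in the thread; writes to any are checked as unicodePwd. */
static const char *const password_attrs[] = {
    "userPassword", "clearTextPassword", "unicodePwd", "dbcsPwd",
};

/* Return the attribute whose rights govern a write to attr. */
const char *rights_attr(const char *attr)
{
    for (size_t i = 0; i < sizeof(password_attrs) / sizeof(password_attrs[0]); i++)
        if (strcasecmp(attr, password_attrs[i]) == 0) /* LDAP names ignore case */
            return "unicodePwd";
    return attr;
}

/* Default deny: allowed only if an ACE covers the governing attribute. */
bool write_allowed(const struct write_ace *aces, size_t n, const char *trustee,
                   const char *attr, bool alias_passwords)
{
    const char *checked = alias_passwords ? rights_attr(attr) : attr;
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(aces[i].trustee, trustee) == 0 &&
            strcasecmp(aces[i].attr, checked) == 0)
            return true;
    return false;
}

/* Constructed sample ACL: rights exist on unicodePwd, none on clearTextPassword. */
const struct write_ace sample_acl[] = {
    { "SELF", "unicodePwd" },
    { "Administrators", "unicodePwd" },
    { "Administrators", "description" },
};
const size_t sample_acl_len = sizeof(sample_acl) / sizeof(sample_acl[0]);

int main(void)
{
    printf("direct check:  %d\n", write_allowed(sample_acl, sample_acl_len, "SELF", "clearTextPassword", false));
    printf("aliased check: %d\n", write_allowed(sample_acl, sample_acl_len, "SELF", "clearTextPassword", true));
    return 0;
}
```

With the alias disabled, the write to clearTextPassword is denied because no ACE names that attribute; with it enabled, the decision is the same one unicodePwd would get, and non-password attributes are unaffected.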